The Office of Foreign Assets Control (OFAC) of the United States Treasury Department has issued an advisory on the sanctions risk of making or facilitating ransomware payments. It creates a painful dilemma if you are struck by ransomware.
You already have serious problems if you are struck by ransomware:
- Your critical files and possibly all your computers are locked up.
- Your work has come to a standstill.
- You don't yet know if your backups were destroyed or corrupted.
- You may be trying to figure out how to pay by Bitcoin before a deadline.
Now you face a dilemma:
- Don't pay the ransom and lose days of work and current files, or more.
- Pay an exorbitant ransom and face possible civil penalties to boot.
There are strong arguments for reporting a ransomware attack to the authorities. It is the right thing to do. Plus it can minimize your exposure to civil penalties if you determine, reluctantly, that you need to pay the ransom.
According to DLA Piper's analysis of the OFAC advisory:
"OFAC will also consider a company’s self-initiated, timely and complete report of a ransomware attack to, and cooperation with, law enforcement to be a significant mitigating factor in determining enforcement if there is later determined to be a sanctions nexus."
The basis for the civil penalties is OFAC's sanctions regulations. They prohibit U.S. persons from transacting with individuals and organizations that appear on the List of Specially Designated Nationals and Blocked Persons (the SDN list), and OFAC can impose penalties on a strict-liability basis, meaning the payer can be held liable even without knowing that the recipient was sanctioned. The list is incredibly long and replete with multiple aliases for individuals and organizations.
The list of ransomware families is also very long. It would be nearly impossible to determine whether a particular ransomware attack originated from someone or some organization on the list unless the attackers identified themselves. That is sometimes possible: the ransom note may carry a group name, a contact email or a payment address, or the ransomware may be a well-known variant that has been publicly attributed to a group.
Hopefully you won't find yourself in the unenviable position of having to decide whether to pay or not to pay a ransom. If you do, make an effort to identify the source of the ransomware and check whether it is from someone on the SDN list. Report the incident to the authorities. Those actions may minimize the legal consequences if you find it necessary to pay up.
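The first triage step described above, checking identifiers from a ransom note against the block list, can be scripted. The following is an added illustration and not the author's code. The sanctions list it uses is constructed in a simplified format of my own (it is not the real SDN file format, and the names and addresses in it are hypothetical), and the ransom note is likewise constructed. A hit from a screen like this is a reason to involve counsel and law enforcement before any payment, not a legal determination.

```python
"""Screen a ransom note for names, aliases, emails and digital-currency
addresses that appear on a sanctions-style block list.

Added example; the list format, entries and note below are constructed
for illustration and are not OFAC data."""
import re
from dataclasses import dataclass, field


@dataclass
class ListedParty:
    name: str
    aliases: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    wallets: list = field(default_factory=list)  # digital-currency addresses


@dataclass(frozen=True)
class Match:
    party: str
    kind: str   # "name", "email" or "wallet"
    value: str


# Constructed, hypothetical entries (not real listings).
CONSTRUCTED_LIST = [
    ListedParty(
        name="Example Locker Group",
        aliases=["EXLOCK", "Example Locker Team"],
        emails=["support@exlock.invalid"],
        wallets=["bc1qexampleexampleexampleexampleexample00"],
    ),
    ListedParty(
        name="Sample Crypto Gang",
        aliases=["SCG"],
        wallets=["1ConstructedAddrForDemo1234567899"],
    ),
]

# Constructed ransom note.
CONSTRUCTED_NOTE = """
ALL YOUR FILES HAVE BEEN ENCRYPTED BY EXLOCK!
To recover them, send 2 BTC to bc1qexampleexampleexampleexampleexample00
and email support@exlock.invalid with your ID.
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Bitcoin addresses: bech32 (bc1...) or legacy base58 (1... / 3...).
BTC_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def extract_indicators(note: str) -> dict:
    """Pull contact and payment identifiers out of a ransom note."""
    return {
        "emails": sorted({m.casefold() for m in EMAIL_RE.findall(note)}),
        "wallets": sorted(set(BTC_RE.findall(note))),
    }


def screen_note(note: str, parties: list) -> tuple:
    """Return (matches, indicators). Names and aliases are matched as
    whole words, case-insensitively; emails case-insensitively; wallet
    addresses exactly (base58 is case-sensitive)."""
    found = extract_indicators(note)
    lowered = note.casefold()
    matches = []
    for p in parties:
        for label in [p.name, *p.aliases]:
            if re.search(r"\b" + re.escape(label.casefold()) + r"\b", lowered):
                matches.append(Match(p.name, "name", label))
        for e in p.emails:
            if e.casefold() in found["emails"]:
                matches.append(Match(p.name, "email", e))
        for w in p.wallets:
            if w in found["wallets"]:
                matches.append(Match(p.name, "wallet", w))
    return matches, found


def has_sanctions_nexus(note: str, parties: list) -> bool:
    """True if any listed party is identified in the note."""
    return bool(screen_note(note, parties)[0])


if __name__ == "__main__":
    hits, indicators = screen_note(CONSTRUCTED_NOTE, CONSTRUCTED_LIST)
    print("Indicators found:", indicators)
    for h in hits:
        print(f"HIT: {h.party} via {h.kind} '{h.value}'")
    print("Possible sanctions nexus:", has_sanctions_nexus(CONSTRUCTED_NOTE, CONSTRUCTED_LIST))
```

Exact matching like this misses transliterated or misspelled aliases, which is exactly why the real list is so hard to screen by hand; in practice the extracted indicators should be run against the published SDN data or a screening service, and the unmatched indicators handed to investigators and law enforcement along with the report.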
Of course the best actions to take are those that prevent the crime in the first place, starting with tested backups kept where the ransomware cannot reach them. Ironically, the most effective defenses are usually purchased only after firms have suffered through the downtime and expense of having all their files encrypted or stolen by cyber thieves.